- User A has an HTTP server running on the host Ubuntu machine with IP "HostIP" and port 8081.
- Now user A creates an unprivileged LXC container (container1).
- User A logs into it with lxc-attach -n container1.
- Now the root user inside container1 makes a call to http://HostIP:8081/api.
My question is: does this call route to the host directly or via the LAN? Basically, what configuration changes need to be made to avoid LAN traffic when the HTTP server is hosted on the host machine?
Our LXC network configuration is:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:30:d2:42
All the containers are running on the Ubuntu host computer.
To summarize the details you stated to me so I can answer this:
With this information in hand, the answer is: possibly. It depends entirely on the host computer and whether it is smart enough not to route traffic to the LAN address from the LXC bridge over the LAN network first (which isn't always the case).
When you use the host computer's LAN IP address, it is entirely possible that your computer will be stupid and not properly route the packet, meaning the packet headed to the host computer's LAN address (and not to the private IP range of the LXC network) might get transmitted to the rest of the LAN. This isn't uncommon, but it's definitely not what you're after.
When working with LXC/LXD guests connected to the host, you should use the gateway IP address as seen from the guests (effectively the private IP address the host computer has on the LXC/LXD bridge, so that it can NAT traffic to other destinations properly) whenever you intend traffic to go directly from the containers to the host and vice versa. This way, traffic from your guest to your host (and vice versa) never leaves your computer, since the host knows the routes to the guest and to itself over that NAT'd link.
If the subnet for your bridge is 192.168.230.0/24, for example, the LXC guest has the IP 192.168.230.10, and your host computer has 192.168.230.1 so that it behaves as a router for the guests (this is the typical NAT bridge setup, just with different IP ranges), then you should use 192.168.230.1 in place of the LAN address of the host system to avoid data leaking onto the LAN.
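The answer above makes the outcome depend on what the host does with a packet that arrives from the bridge addressed to its LAN IP. The check that settles this for a given host is a routing lookup with `ip route get`, and the following is an added example (not part of the original question or answer) that shows the two commands to run and a small POSIX shell parser for their output. The addresses (192.0.2.10 standing in for HostIP, 10.0.3.0/24 as the bridge subnet with 10.0.3.1 on the host, 10.0.3.20 for container1), the interface names and the sample outputs are constructed for illustration, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. It shows the
# routing check to run before deciding where container-to-host traffic goes,
# and parses the output of that check. Addresses, interface names and the
# sample outputs below are constructed/assumed for illustration:
#   host LAN address (HostIP) : 192.0.2.10
#   LXC bridge subnet         : 10.0.3.0/24, host side (gateway) 10.0.3.1
#   container1 address        : 10.0.3.20, interface eth0
#
# Commands to run on a real system (their output is what the functions parse):
#   inside container1:  ip route get 192.0.2.10
#   on the host:        ip route get 192.0.2.10 from 10.0.3.20 iif lxcbr0
# The second command asks the host what it would do with a packet that arrived
# on lxcbr0 from the container and is addressed to the host's LAN IP.

# Constructed sample outputs in the shape `ip route get` prints them.
SAMPLE_CONTAINER='192.0.2.10 via 10.0.3.1 dev eth0 src 10.0.3.20 uid 0'
SAMPLE_HOST_LOCAL='local 192.0.2.10 from 10.0.3.20 dev lo table local'
SAMPLE_HOST_FORWARDED='192.0.2.10 from 10.0.3.20 via 192.0.2.1 dev eth0'

# field OUTPUT KEY: print the token following KEY (e.g. "via", "dev"), or nothing.
field() {
  printf '%s\n' "$1" | awk -v key="$2" '{
    for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
  }'
}

# classify_route OUTPUT: summarise one `ip route get` line as
#   local            the host delivers the packet to itself (never hits the LAN)
#   via:<gw>:<dev>   forwarded to next hop <gw> out of <dev>
#   direct:<dev>     delivered on-link out of <dev>
classify_route() {
  case "$1" in
    "local "*) echo local ;;
    *" via "*) echo "via:$(field "$1" via):$(field "$1" dev)" ;;
    *" dev "*) echo "direct:$(field "$1" dev)" ;;
    *) echo unknown ;;
  esac
}

# container_next_hop_is OUTPUT GATEWAY: true when the container's lookup for
# HostIP goes via the bridge gateway (the host's own address on the bridge).
container_next_hop_is() {
  [ "$(field "$1" via)" = "$2" ]
}

# stays_on_host HOST_OUTPUT: true when the host's lookup for the same packet
# resolves in its local table, i.e. the request terminates on the host.
stays_on_host() {
  case "$(classify_route "$1")" in
    local) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demonstration on the constructed samples.
printf 'container : %s\n' "$(classify_route "$SAMPLE_CONTAINER")"
printf 'host (a)  : %s\n' "$(classify_route "$SAMPLE_HOST_LOCAL")"
printf 'host (b)  : %s\n' "$(classify_route "$SAMPLE_HOST_FORWARDED")"
if stays_on_host "$SAMPLE_HOST_LOCAL"; then echo 'sample (a): delivered locally'; fi
if ! stays_on_host "$SAMPLE_HOST_FORWARDED"; then echo 'sample (b): forwarded to the LAN'; fi
```

To use it on a real setup, run the two `ip route get` commands shown in the comments on your own container and host and pass the first line of each output to classify_route. A `local` result on the host side means the request is delivered to the host itself; a `via:` result names the next hop and interface it would be forwarded through. The `ip route get ... from ... iif lxcbr0` form is the lookup the kernel performs for a packet received on that interface, which is why it is the relevant test rather than a plain `ip route get` typed on the host, and it is equally valid for the bridge gateway address the answer recommends.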